Toolbox: Microsoft Malicious Software Removal Tool

In an era of fast-spreading worms that exploit system vulnerabilities, you need to keep your antiworm defenses strong through a solid defense-in-depth strategy that combines religious patch management, reliable antivirus software, network or even host-based firewalls, and additional tools to combat specific threats. Microsoft recently released one such tool, the Malicious Software Removal Tool, which, when used in conjunction with other antiworm defense strategies, helps you ensure that computers on your network remain free of notorious malware.

Released in January, the Malicious Software Removal Tool works with the Microsoft Windows Update program. In fact, Windows XP computers that are updated with Windows Update's Automatic Updates feature already have the tool. Microsoft regularly updates the tool on the second Tuesday of every month in conjunction with its release of new security updates. Even if it releases no new security updates, Microsoft might update the tool with new detection signatures and cleaning instructions.

The tool detects only worms that have already infected a system, so you can't use it in lieu of antivirus software that continuously protects your computers from a large selection of viruses and worms. However, the Malicious Software Removal Tool not only detects common malicious software but also removes the software from an infected system—something that most antivirus software programs don't do. (For example, Symantec offers many separately downloadable virus and worm scanning and cleaning tools, which can be cumbersome to use if you aren't sure what's infected your system.) As of May 2005, the tool detects and cleans the 21 worms that Table 1 lists. Microsoft selects worms for the tool to clean according to threat level—in general, the tool targets the most prevalent worms. The Malicious Software Removal Tool runs only on Windows Server 2003, XP, and Windows 2000; Windows NT 4.0, Windows Me, and Windows 9x aren't supported. Neither Microsoft Software Update Services (SUS) nor the new Windows Software Update Services (WSUS) support the tool.

Running the Tool
You can use the Malicious Software Removal Tool in a variety of ways to scan computers on your network. For home computers running XP Home or in situations in which you need to perform a quick scan and remediation, the most expedient solution is to visit http://www.microsoft.com/security/malwareremove and run the tool directly from the Microsoft site. Running the tool from the Web site requires you to install an ActiveX control, so you must use Internet Explorer (IE). This method is a great way to quickly check a system without having to download and run separate software, and it's also easy to walk your users through the process.

XP users might already have run the tool as part of Windows Update's Automatic Updates process. If you've configured Automatic Updates to automatically download and install security updates on any of your XP machines, then the Malicious Software Removal Tool will automatically be downloaded and will run each month when an updated version is available.

You can check your Automatic Updates configuration by opening the Control Panel System applet and selecting the Automatic Updates tab. Automatic (recommended) will be selected if Automatic Updates is configured for the machine. To determine whether the Malicious Software Removal Tool has run, look for the tool's log file in %windir%debugmrt.log, or in the registry under HKEY_LOCAL_MACHINESOFTWAREMicrosoftRemovalToolsMRT. For example, the March 2005 release contains the registry key version and the value F8327EEF-52AA-439A-9950-CE33CF0D4FDD.

To manually scan and clean Windows 2003, XP, and Win2K computers, download the Malicious Software Removal Tool from http://go.microsoft.com/fwlink/?linkid=40587 and run it locally under an account that's a member of the computer's Administrators group. The name of the tool will always be associated with Microsoft article number KB890830, but the version number will change each month as the tool is updated (e.g., Windows-KB890830-V1.2-ENU.exe). If you run the tool manually, make sure to use the most current version. The tool will notify you to download the most recent copy if you're running a version that's older than 60 days.

The current version of the tool doesn't support scanning remote systems, but you can use a logon script or other mechanism to run the program on remote target machines. You can use SMS 2003 to run the tool. Microsoft provides step-by-step directions for doing so in its article "Deployment of the Microsoft Malicious Software Removal Tool in an enterprise environment" (http://support.microsoft.com/?kbid=891716).

Automate Computer Scanning on Your Network
If your company uses Active Directory (AD), you can schedule computers to run the Malicious Software Removal Tool with a Group Policy Object (GPO) user logon or computer startup script. The tool requires administrative privileges to run, so if your users aren't administrators on their machines, use a startup script to execute the tool under Local System privileges. Microsoft provides useful samples for how to deploy this tool in a logon script in "Deployment of the Microsoft Malicious Software Removal Tool."

If you create a logon script to automatically run the tool on your users' computers, you can take programmatic action according to the program's exit code. Web Table 1 (http://www.windowsitpro.com/windowssecurity, InstantDoc ID 46590) lists these codes. For example, if the tool returns error code 9, At least one infection was detected and removed, but manual steps are required for complete removal and errors were encountered, your script could specify sending an email message or a pager alert to notify an administrator.

Reviewing the Results
The Malicious Software Removal Tool writes its findings to the log file located in %windir%debug and appends the results of each scan to mrt.log, which lets you keep a history of past scans. I've found it useful to use my logon script to parse the results of each scan and copy a simple summary to a centralized log file that I continuously monitor. The log file includes the status of the scan's results and any cleaning or removal actions. If a computer restart is necessary or if additional manual cleaning steps are needed at the conclusion of a scan, the tool will notify you.

Peace of Mind: Priceless
The Malicious Software Removal Tool gives you confidence that the most destructive worms of the moment haven't infected your computer. The next time a coworker, friend, or relative calls you because his or her computer is running slowly and you hear dead silence after you ask whether the computer's antivirus definitions are up-to-date, give instructions to visit the Microsoft Web site and download this tool. It offers modest protection that's useful in organizations of any size.